- Arbitrary file read vulnerability caused due to improper validation in “MsiAdvertiseProduct” Windows
- Users left vulnerable as the security researcher released proof-of-concept before Microsoft’s release of a patch for the vulnerability
A new revelation yesterday has added to the growing list of zero-days found this year affecting the Windows operating system.
A security researcher who goes by the alias SandboxEscaper, yesterday released a proof-of-concept (PoC) for a newly discovered zero-day bug in Microsoft’s Windows OS.
This new vulnerability results from an arbitrary file read flaw that could allow a user account without administrator privileges to read any file. A malicious program could also exploit this flaw to access all the data on the target Windows computer.
Microsoft has not yet released an official patch for this vulnerability so it leaves the Windows users in a precarious situation as the cybercriminals can exploit the users with the proof-of-concept published by SandboxEscaper.
What causes the vulnerability?
The vulnerability is caused due to an improper validation in “MsiAdvertiseProduct” function of Windows. The function is used to generate an advertise script or advertise a product to the computer, and enable the installer to write to a script the registry and shortcut information used to assign or publish a product.
The researcher stated that the function could be abused to perform arbitrary file read by forcing the installer service to make a copy of any file as SYSTEM privileges and also read its contents.
The researcher explained the severity of the validation flaw further, saying, “Even without an enumeration vector, this is still bad news, because a lot of document software, like office, will actually keep files in static locations that contain the full path and file names of recently opened documents. Thus by reading files like this, you can get filenames of documents created by other users…...the filesystem is a spider web and references to user-created files can be found everywhere.. so not having an enumeration bug is not that big of a deal."
Dubious research ethics
The researcher shared a video demonstrating the vulnerability and also posted the link to his Github page containing the proof-of-concept (PoC) exploit for the vulnerability. However, his Github account was soon taken down due to the risk of threat actors using the exploit. Leaking Windows zero-day flaws publicly has become a norm for SandboxEscaper in the recent months.
Earlier this year in August, the researcher exposed a local privilege escalation zero-day vulnerability in Microsoft Windows Task Scheduler. The issue was caused due to errors in the handling the Advanced Local Procedure Call (ALPC) service. It was discovered that exploits in the wild used this zero-day vulnerability before Microsoft fixed it in the September 2018 Security Patch Tuesday Updates.
This was followed by another PoC exploit from the researcher in October. This PoC was for a privilege escalation zero-day in Microsoft Data Sharing which would allow a user without administrator privileges to delete critical system files on the target Windows computer.
Dropping an exploit before a patch release is an unusual practice for an ethical security researcher. However, SandboxEscaper has done this at least twice earlier by publishing exploits for two unpatched Windows zero-day vulnerabilities. The third such instance in recent months for the same researcher has definitely raised questions within the security community.
Nevertheless, it is important for Microsoft to address the issues as quickly as possible to prevent any attacks on its users.